Something Old, Something New

• New: Cloud describes the use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information and storage resources. These components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down, providing for an on-demand, utility-like model of allocation and consumption.

• Old: "The Network is the Computer" (Sun Microsystems,

Cloud Computing Parts


• NIST defines cloud computing by:
  - 5 essential characteristics
  - 3 cloud service models
  - 4 cloud deployment models

Virginia Tech: Invent the Future

Essential Characteristics

• On-demand self-service
  - Get computing capabilities as needed, automatically
• Broad network access
  - Services available over the net using desktop, laptop, PDA, mobile phone
• Resource pooling
  - Provider resources pooled to serve multiple clients
• Rapid elasticity
  - Ability to quickly scale service in/out
• Measured service
  - Control and optimize services based on metering
Cloud Service Models

• Software as a Service (SaaS)
  - We use the provider's apps
  - User doesn't manage or control the network, servers, OS, storage or applications
• Platform as a Service (PaaS)
  - User deploys their apps on the cloud
  - Controls their apps
  - User doesn't manage servers, OS, storage
• Infrastructure as a Service (IaaS)
  - Consumers get access to the infrastructure to deploy their stuff
  - Doesn't manage or control the infrastructure
  - Does manage or control the OS, storage, apps, selected network components
Deployment Models

• Public
  - Cloud infrastructure is available to the general public, owned by an org selling cloud services
• Private
  - Cloud infrastructure for a single org only; may be managed by the org or a 3rd party, on or off premise
• Community
  - Cloud infrastructure shared by several orgs that have shared concerns; managed by an org or a 3rd party
• Hybrid
  - Combo of >=2 clouds bound by standard or proprietary technology
What, When, How to Move to the Cloud

• Identify the asset(s) for cloud deployment
  - Data
  - Applications/Functions/Processes
• Evaluate the asset
  - Determine how important the data or function is to the org
Evaluate the Asset

• How would we be harmed if:
  - the asset became widely public & widely distributed?
  - an employee of our cloud provider accessed the asset?
  - the process or function were manipulated by an outsider?
  - the process or function failed to provide expected results?
  - the info/data was unexpectedly changed?
  - the asset were unavailable for a period of time?
Asset to Models

• 4 Cloud Models
  - Public
  - Private, internal, on premise
  - Private, external
  - Community
  - Hybrid
• Which cloud model addresses your security concerns?
• Map the data flow between your organization, cloud service, customers, other nodes
  - Essential to understand whether & HOW data can move in/out of the cloud
  - Sketch it for each of the models
• Know your risk tolerance!
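The six "how would we be harmed if" questions, the "Asset to Models" list and the risk-tolerance point can be worked through as one decision routine. The Go program below is an added example written for this page, not code from the slides or from the CSA guidance: it folds the six answers into a confidentiality/integrity/availability profile and filters the five deployment models against a stated tolerance. The rule that maps harm ratings to acceptable models is a hypothetical policy chosen for illustration (the slides leave that mapping to the reader), and the three sample assets are constructed.

```go
package main

import "fmt"

// Harm rates how badly the org would be hurt in one of the slides' six
// "how would we be harmed if..." scenarios.
type Harm int

const (
	None Harm = iota
	Low
	Medium
	High
)

func (h Harm) String() string { return [...]string{"none", "low", "medium", "high"}[h] }

// AssetEvaluation holds one answer per scenario on the "Evaluate the Asset" slide.
type AssetEvaluation struct {
	Name             string
	PublicDisclosure Harm // asset became widely public & widely distributed
	ProviderInsider  Harm // an employee of the cloud provider accessed it
	OutsiderTamper   Harm // process/function manipulated by an outsider
	WrongResults     Harm // process/function failed to give expected results
	UnexpectedChange Harm // info/data unexpectedly changed
	Unavailable      Harm // asset unavailable for a period of time
}

func maxHarm(hs ...Harm) Harm {
	m := None
	for _, h := range hs {
		if h > m {
			m = h
		}
	}
	return m
}

// Profile folds the six answers into confidentiality, integrity and
// availability impact (the CIA triad the "Data security" bullet names).
type Profile struct{ Confidentiality, Integrity, Availability Harm }

func (a AssetEvaluation) Profile() Profile {
	return Profile{
		Confidentiality: maxHarm(a.PublicDisclosure, a.ProviderInsider),
		Integrity:       maxHarm(a.OutsiderTamper, a.WrongResults, a.UnexpectedChange),
		Availability:    a.Unavailable,
	}
}

// Models are the five options on the "Asset to Models" slide.
var Models = []string{"Public", "Private, internal, on premise", "Private, external", "Community", "Hybrid"}

// AcceptableModels filters Models with a hypothetical policy (an assumption made
// for this example; the slides leave the mapping to your risk tolerance):
//   - tolerance is the highest Harm accepted in any CIA category on
//     infrastructure the org does not operate itself;
//   - exceeding it rules out the multi-tenant models (Public, Community);
//   - High harm from provider-insider access rules out every model a third
//     party operates (Public, Private external, Community);
//   - Hybrid stays acceptable while some private model does, because the
//     asset can then be kept on the private side of the hybrid.
func AcceptableModels(a AssetEvaluation, tolerance Harm) []string {
	p := a.Profile()
	ok := make(map[string]bool, len(Models))
	for _, m := range Models {
		ok[m] = true
	}
	if maxHarm(p.Confidentiality, p.Integrity, p.Availability) > tolerance {
		ok["Public"], ok["Community"] = false, false
	}
	if a.ProviderInsider == High {
		ok["Public"], ok["Private, external"], ok["Community"] = false, false, false
	}
	ok["Hybrid"] = ok["Private, internal, on premise"] || ok["Private, external"]
	var out []string
	for _, m := range Models {
		if ok[m] {
			out = append(out, m)
		}
	}
	return out
}

func main() {
	// Constructed sample assets, not taken from the slides.
	assets := []AssetEvaluation{
		{Name: "public brochure site", OutsiderTamper: Low, WrongResults: Low, UnexpectedChange: Low, Unavailable: Low},
		{Name: "customer PII store", PublicDisclosure: High, ProviderInsider: Medium, OutsiderTamper: Medium,
			WrongResults: Medium, UnexpectedChange: Medium, Unavailable: Medium},
		{Name: "unreleased product designs", PublicDisclosure: High, ProviderInsider: High, UnexpectedChange: High, Unavailable: Low},
	}
	for _, a := range assets {
		p := a.Profile()
		fmt.Printf("%s: C=%s I=%s A=%s -> %v\n", a.Name, p.Confidentiality, p.Integrity, p.Availability, AcceptableModels(a, Medium))
	}
}
```

With a Medium tolerance the brochure site is fine on any model, the PII store drops the multi-tenant options, and the design files are left with the internal private cloud (or a hybrid that keeps them there). The point of writing it down is that the policy becomes reviewable: the next asset is evaluated against the same rules rather than by feel.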
Cloud Domains

• Service contracts should address these 13 domains:
  - Architectural Framework
  - Governance, Enterprise Risk Mgt
  - Legal, e-Discovery
  - Compliance & Audit
  - Information Lifecycle Mgt
  - Portability & Interoperability
  - Security, Business Continuity, Disaster Recovery
  - Data Center Operations
  - Incident Response Issues
  - Application Security
  - Encryption & Key Mgt
  - Identity & Access Mgt
  - Virtualization
Security Stack

• IaaS: entire infrastructure from facilities to HW
• PaaS: application, middleware, database, messaging supported by IaaS
• SaaS: self-contained operating environment: content, presentation, apps, mgt

Security Stack Concerns

• The lower down the stack the cloud vendor provides (IaaS vs PaaS vs SaaS), the more security issues the consumer has to address or provide
• Who do you trust?
Key Takeaways

• SaaS
  - Service levels, security, governance, compliance, liability expectations of the service & provider are contractually defined
• PaaS, IaaS
  - Customer sysadmins manage the same, with the provider handling platform, infrastructure security
Sample Clouds

[Figure, two panels. Left: "Multi-tenancy in Virtualized Private Cloud - On-Premise Datacenter": Private Cloud of Company XYZ with 3 business units, each with different security, SLA, governance and chargeback policies on shared infrastructure. Right: "Multi-tenancy in Virtualized Public Cloud - Off-Premise Datacenter": Public Cloud Provider with 3 business customers, each with different security, SLA, governance and billing policies on shared infrastructure.]

From "Security Guidance for Critical Areas of Focus in Cloud Computing v2.1", p. 18

Security Pitfalls

• How cloud services are provided is confused with where they are provided
• A well-demarcated network security border is not fixed
• Cloud computing implies loss of control

Overall Security Concerns

• Gracefully lose control while maintaining accountability, even if operational responsibility falls upon 3rd parties
• Provider and user security duties differ greatly between cloud models
Governance

• Identify, implement process, controls to maintain effective governance, risk mgt, compliance
• Provider security governance should be assessed for sufficiency, maturity, consistency with user ITSEC process

3rd Party Governance

• Request clear docs on how facility & services are assessed
• Require defn of what provider considers critical services, info
• Perform full contract, terms of use due diligence to determine roles, accountability
Legal, e-Discovery

• Functional: which functions & services in the Cloud have legal implications for both parties
• Jurisdictional: which governments administer laws and regs impacting services, stakeholders, data assets
• Contractual: terms & conditions
• Both parties must understand each other's roles
  - Litigation hold, discovery searches
  - Expert testimony
• Provider must save primary and secondary (logs) data
• Where is the data stored?
  - Laws for cross-border data flows
• Plan for unexpected contract termination and orderly return or secure disposal of assets
• You should ensure you retain ownership of your data in its original form
Compliance & Audit

• Hard to maintain with your sec/reg requirements, harder to demonstrate to auditors
• Right to Audit clause
• Analyze compliance scope
• Regulatory impact on data security
• Evidence requirements are met
• Does the provider have SAS 70 Type II, ISO 27001/2 audit statements?
Info Lifecycle Mgt

• Data security (CIA)
• Data location
  - All copies, backups stored only at locations allowed by contract, SLA and/or regulation
  - Compliant storage (EU mandate) for storing e-health records
Portability, Interoperability

• When you have to switch cloud providers:
  - Contract price increase
  - Provider bankruptcy
  - Provider service shutdown
  - Decrease in service quality
  - Business dispute
Security, BC, DR

• Centralization of data = greater insider threat from within the provider
• Require onsite inspections of provider facilities
• Disaster recovery, business continuity, etc.
Data Center Ops

• How does the provider do:
  - On-demand self service
  - Broad network access
  - Resource pooling
  - Rapid elasticity
  - Measured service
Incident Response

• Cloud apps aren't always designed with data integrity, security in mind
• Does the provider keep app, firewall, IDS logs?
• Does the provider deliver snapshots of your virtual environment?
• Sensitive data must be encrypted for data breach regs
Application Security

• Different trust boundaries for IaaS, PaaS, SaaS
• Provider web application security?
• Secure inter-host communication channel
Encryption, Key Mgt

• Encrypt data in transit, at rest, backup media
• Secure key store
• Protect encryption keys
• Ensure encryption is based on industry/govt standards. NO proprietary standard
• Limit access to key stores
• Key backup & recoverability. Test these procedures
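The bullets above fit together as envelope encryption: a per-object data key protects the data, a key-encryption key held in a restricted key store protects the data key, and the backed-up wrapped key is proven recoverable rather than assumed so. The Go program below is an added example written for this page, not code from the slides or the CSA guidance. It uses the standard library's AES-256-GCM (a published NIST mode, not a proprietary one); the in-process KeyStore type, its principal allow-list, the "dek-wrap" label, the function names and the sample record are all constructed for this illustration, standing in for a real HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newGCM builds AES-256-GCM (NIST SP 800-38D): a published standard, nothing proprietary.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag; aad binds the object identity so ciphertexts cannot be swapped.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("unseal: bad key or ciphertext too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// KeyStore is a hypothetical stand-in for an HSM/KMS: the KEK never leaves it, and only allow-listed principals may unwrap data keys.
type KeyStore struct {
	kek     []byte
	allowed map[string]bool
}

func NewKeyStore(principals ...string) (*KeyStore, error) {
	ks := &KeyStore{kek: make([]byte, 32), allowed: map[string]bool{}}
	for _, p := range principals {
		ks.allowed[p] = true
	}
	_, err := io.ReadFull(rand.Reader, ks.kek)
	return ks, err
}

func (ks *KeyStore) UnwrapDEK(principal string, wrapped []byte) ([]byte, error) {
	if !ks.allowed[principal] {
		return nil, fmt.Errorf("principal %q may not access the key store", principal)
	}
	return unseal(ks.kek, wrapped, []byte("dek-wrap"))
}

// EncryptAtRest uses a fresh data key (DEK) per object; only ciphertext and the wrapped DEK are stored, so backup media never carries a plaintext key.
func EncryptAtRest(ks *KeyStore, objectID string, data []byte) (ct, wrappedDEK []byte, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return nil, nil, err
	}
	if ct, err = seal(dek, data, []byte(objectID)); err != nil {
		return nil, nil, err
	}
	wrappedDEK, err = seal(ks.kek, dek, []byte("dek-wrap"))
	return ct, wrappedDEK, err
}

func DecryptAtRest(ks *KeyStore, principal, objectID string, ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := ks.UnwrapDEK(principal, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, ct, []byte(objectID))
}

// VerifyRecovery is the "test these procedures" step: decrypt from the backed-up wrapped DEK and confirm the plaintext matches.
func VerifyRecovery(ks *KeyStore, principal, objectID string, ct, backupWrappedDEK, expected []byte) error {
	got, err := DecryptAtRest(ks, principal, objectID, ct, backupWrappedDEK)
	if err == nil && string(got) != string(expected) {
		err = fmt.Errorf("recovered plaintext does not match the original")
	}
	return err
}

func main() {
	ks, _ := NewKeyStore("backup-operator")
	record := []byte("constructed sample record, not real data")
	ct, wrapped, _ := EncryptAtRest(ks, "records/0001", record)
	fmt.Println("recovery test:", VerifyRecovery(ks, "backup-operator", "records/0001", ct, wrapped, record))
}
```

Two design points carry over to a real deployment: the KEK is the only long-lived secret, so "secure key store" and "limit access to key stores" reduce to protecting one object behind one access list, and the recovery check should be run routinely against the actual backup copy of the wrapped keys, because a backup that was never restored is not known to work.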
ID, Access Mgt

• Determine how the provider handles:
  - Provisioning, deprovisioning
  - Authentication
  - Federation
  - Authorization, user profile mgt

Virtualization

• What type of virtualization is used by the provider?
• What 3rd party security technology augments the virtual OS?
• Which controls protect admin interfaces exposed to users?
Cloud Model: Find the Gaps!

[Figure: the CSA diagram mapping the Cloud Model to a Security Control Model and a Compliance Model; recoverable text follows.]

Security Control Model (layer: example controls)
• Applications: SDLC, Binary Analysis, Scanners, WebApp Firewalls, Transactional Sec.
• Information: DLP, CMF, Database Activity Monitoring, Encryption
• Management: GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
• Network: NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
• Trusted Computing: Hardware & Software RoT & APIs
• Compute & Storage: Host-based Firewalls, HIDS/HIPS, Integrity & File/log Management, Encryption, Masking
• Physical: Physical Plant Security, CCTV, Guards

Compliance Model
• PCI: Firewalls, Code Review, WAF, Encryption, Unique User IDs, Anti Virus, Monitoring/IDS/IPS, Patch/Vulnerability Management, Physical Access Control, Two Factor Authentication...
• HIPAA
• GLBA
• SOX
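"Find the gaps" means lining up the compliance model against the control model and asking, for each service model, which layers the provider operates and which the consumer still owns (the "Security Stack Concerns" point that a vendor covering less of the stack leaves the consumer more to secure). The Go program below is an added example for this page, not code from the slides or the CSA guidance: it takes the PCI items from the compliance-model box, places each in a layer of the security control model, and reports who must supply it under IaaS, PaaS and SaaS, treating provider-owned controls as gaps until the provider has produced audit evidence for them. The layer assignments, the provider-owned layers per service model and the attestation set are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// providerLayers is an assumption for this example: which layers of the security
// control model the provider operates under each service model, following the
// "Security Stack" slide. Under IaaS the consumer runs the guest OS, so host-level
// controls (the figure's Compute & Storage layer) and everything above are the
// consumer's; PaaS moves the platform layers to the provider; SaaS the whole stack.
var providerLayers = map[string][]string{
	"IaaS": {"Physical", "Trusted Computing"},
	"PaaS": {"Physical", "Trusted Computing", "Compute & Storage", "Network", "Management"},
	"SaaS": {"Physical", "Trusted Computing", "Compute & Storage", "Network", "Management", "Information", "Applications"},
}

// pciControls are the PCI items from the figure's compliance-model box; the layer
// each one lives in is this example's assignment, not something the figure states.
var pciControls = map[string]string{
	"Firewalls":                      "Network",
	"Code Review":                    "Applications",
	"WAF":                            "Applications",
	"Encryption":                     "Information",
	"Unique User IDs":                "Management",
	"Anti Virus":                     "Compute & Storage",
	"Monitoring/IDS/IPS":             "Network",
	"Patch/Vulnerability Management": "Management",
	"Physical Access Control":        "Physical",
	"Two Factor Authentication":      "Management",
}

type Assignment struct {
	Control, Layer, Owner, Status string
	Gap                           bool
}

// Responsibilities assigns every PCI control to provider or consumer for the given
// service model. attested lists the controls the provider has already produced
// audit evidence for (e.g. in a SAS 70 Type II or ISO 27001 report).
func Responsibilities(model string, attested map[string]bool) ([]Assignment, error) {
	layers, ok := providerLayers[model]
	if !ok {
		return nil, fmt.Errorf("unknown service model %q", model)
	}
	provider := map[string]bool{}
	for _, l := range layers {
		provider[l] = true
	}
	var out []Assignment
	for ctrl, layer := range pciControls {
		a := Assignment{Control: ctrl, Layer: layer}
		switch {
		case !provider[layer]:
			a.Owner, a.Status, a.Gap = "consumer", "implement and evidence it yourself", true
		case attested[ctrl]:
			a.Owner, a.Status = "provider", "covered by audit evidence on file"
		default:
			a.Owner, a.Status, a.Gap = "provider", "request evidence (right-to-audit clause)", true
		}
		out = append(out, a)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Control < out[j].Control })
	return out, nil
}

// Gaps keeps only the controls that still need action from someone.
func Gaps(model string, attested map[string]bool) ([]Assignment, error) {
	all, err := Responsibilities(model, attested)
	if err != nil {
		return nil, err
	}
	var gaps []Assignment
	for _, a := range all {
		if a.Gap {
			gaps = append(gaps, a)
		}
	}
	return gaps, nil
}

func main() {
	// Constructed scenario: the provider's audit report covers physical access control only.
	attested := map[string]bool{"Physical Access Control": true}
	for _, model := range []string{"IaaS", "PaaS", "SaaS"} {
		gaps, _ := Gaps(model, attested)
		fmt.Printf("%s: %d of %d PCI controls still open\n", model, len(gaps), len(pciControls))
		for _, g := range gaps {
			fmt.Printf("  %-32s %-18s %-9s %s\n", g.Control, g.Layer, g.Owner, g.Status)
		}
	}
}
```

The same number of controls is open under all three models in the constructed scenario; what changes is who closes them. Under IaaS nine of the ten are the consumer's to build, while under SaaS nine are the provider's, which is why the "Compliance & Audit" slide pairs a right-to-audit clause with the question of which audit statements the provider can show.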
Summary

• We already do some sort of cloud computing
  - NFS, Samba shares, SAN, NAS, Web applications
• Decide on public or private cloud
• Public cloud implies loss of control